The myth of King Midas warns us that what we initially perceive as a blessing can also be a curse. Turning objects into gold with the slightest touch would be a magnificent power to have; however, inadvertently transforming food, family and friends into gold would be a nightmare. Such is the case with technology. Our interconnected world and seemingly never-ending supply of even “smarter” smartphones and other devices provides us previously unimaginable power to share our ideas and make our complicated world more manageable. Calling these advantages of technology a blessing hardly seems hyperbolic; yet, with the good also comes the potential for bad.
For auditors and compliance professionals, both the greatest advantage and the greatest threat of the digital world is big data. By following the digital footprints left by the company around the world, auditors can now seek the truth about employee actions and company operations more objectively and efficiently than ever before. The challenge, however, is in effectively managing the sheer volume of sensitive information that the company and its employees create, share and store on these powerful devices. For example, an employee’s personal Facebook update could reveal proprietary information; a stolen laptop can be akin to losing control of a safety deposit box; hackers could break into the company’s computer network and export confidential data; companies can lose access to their data that’s stored in the cloud; and then there are the complexities caused by the wild variation in country-specific data privacy laws. It can be enough to make your head spin.
Below are five high-tech compliance challenges to watch out for and tips for overcoming them:
1. Social Media: Managing Risk and Balancing Employee Privacy
The world of social media – be it Facebook, Twitter, Instagram or countless others – is complicated because it’s a mix of the personal (“here is a photo of my daughter at camp”), commercial (“Jim likes Visa”), and often, something in between (“I can’t believe what my employer, XYZ Corp., is doing – it’s so unfair…”).
But its use by employees can also be downright unacceptable. Employees have used social media to sexually harass other employees. Hospital workers have used it to post patient pictures and protected health information. At other times, employees have revealed confidential financial information about their companies through their social media accounts. Such conduct exposes employers to serious legal and compliance risks. As a result, internal auditors are being asked to develop safeguards around legitimate uses of social media in the workplace and to actively defend against its misuse.
This task, however, presents a formidable challenge, and auditing compliance with corporate social media policies has recently been made more difficult by the need to also comply with the laws that limit an employer’s ability to examine an employee’s or a job applicant’s social media postings. These laws have already been passed by 12 states and similar legislation is pending in over 30 more.
At first blush, these laws champion a new level of e-privacy by prohibiting employers from requiring employees to provide them with their user names and passwords for their personal social media accounts – a step most of us would welcome as a good idea. The reality, however, is much more complex because these laws may also – inadvertently, in some cases – limit an employer’s ability to access employee accounts when conducting legitimate and necessary internal investigations. An additional obstacle is that each statute provides different definitions and scopes of privacy protection. For example, while some laws have exceptions for employee misconduct, other statutes have no such exceptions.
For the foreseeable future, we can expect more regulation in this area. As auditors and compliance professionals, we must make sure we are on the right side of the law even as we work to ensure other regulations and laws haven’t been broken. Before you begin your audits or investigations, make sure you know whether any of these laws apply and exactly what you are permitted to do.
2. Laptops: Protecting Your Roving Safety Deposit Boxes
In today’s world of international commerce and the ease with which we travel the globe carrying thousands of gigabytes of data on laptops (not to mention thumb-drives or other portable storage devices), we must appreciate the fact that in many countries, the only way that data is totally secure is if the laptop is powered down, unconnected to the internet, and under constant physical control. Absent these procedures, in fact, there are several countries in which all the proprietary and vital data stored on these devices can be stolen by state-sponsored digital eavesdroppers the first time you log onto the internet within their borders. It is a popular belief that the Chinese government, for example, actively sponsors the theft of intellectual property both by hacking data from across the Pacific and also by taking advantage of travelers who bring it with them when crossing into China.
It is important to have corporate policies and procedures designed to mitigate these risks and stop that from happening. For example, many companies provide employees access to “travel laptops” that, while fully capable of executing vital business functions, are stripped of any truly proprietary, sensitive, or secure information. It is also important to make sure your information security policies are up-to-date, understandable to the vast majority of non-tech employees, and last but not least, auditable.
Specifically, make sure that your information security policies cover at least the following areas: the creation, transmission, transport and retention of information; when and how information can be disposed of and/or removed from corporate servers/storage; remote, wireless, electronic and physical access to the corporate network; and security precautions to use while traveling.
3. Smartphones and Tablets: Watching the Doors that Hackers Use
Beyond the dangers described above, auditors and compliance professionals must also be aware that mobile devices and applications are also the focus of hackers because they can make for a much easier doorway to your data. It’s recently been reported, for example, that about 99% of all Android devices are vulnerable to hackers who could use malicious code to access and change sensitive data through otherwise legitimate mobile applications.
Managing threats like these requires a close working relationship between auditors and technologists in the IT department. Whether or not your colleagues make use of Android devices, it is vitally important to coordinate with your IT department to identify what sensitive or proprietary information is contained on any of their mobile devices that a malicious intruder could access and potentially misuse without the user’s knowledge or consent. You should also examine what data on company servers can be accessed from those mobile devices and whether or not there are known vulnerabilities to your security protocols.
One tool the audit/IT partnership should consider implementing is an automated alarm that alerts you if any data is uploaded to external sites and allows you to actively investigate those cases. If an employee is stealing your vital data or hackers are at work in your system, it is essential to identify and investigate any situation in which your data may be in jeopardy. But it’s also important to remember that some employees whose systems are implicated may be unaware that anything has even happened. Whether you turn to external providers of such solutions or develop them in house, such tools are critically important and help you safeguard your most valuable information.
4. The Cloud: Controlling Your Data When You Don’t Control the Server
Increasingly, organizations are turning to external cloud-service providers to host their data. The reasons for this are simple – cloud computing often means lower IT costs and access to the corporate network and systems from anywhere Internet access is available. But any solution that results in a company giving up or accepting less control over its electronic data and IT environment brings with it additional risks. Is your data more subject to theft? Does the cloud solution you’re considering expose the company to different or more complicated legal obligations? Could a technology failure in the cloud deprive your employees access to your data or deny your customers access to your services?
Whether your organization is considering the implementation of cloud-based solutions or has already has taken that leap, auditors should pay special attention to the following: where the data is actually stored and whether that jurisdiction exposes the company to any additional legal or compliance requirements; whether cloud-computing is permissible for all types of data routinely kept by the company; whether the cloud provider can use any of your data for its own purposes, and if so, whether the provider must seek your pre-approval in all circumstances; what rights and limitations you have in the event that you are served with a subpoena or other legal request for information; what security measures are in place by the service provider; and what redundancies are available should the cloud require service and/or experience any outages.
This represents another opportunity for audit, compliance and IT professionals to work together, as effectively managing these risks will safely open up powerful business tools and opportunities.
5. Data Privacy Laws: Avoiding The Trip-Wires Of Complex Regulations
The laws governing the transference and sharing of data vary wildly from country to country with some of the strictest being in Europe. At their most basic, these laws restrict a company’s ability to collect, store, transmit or examine “personally identifiable data.” This term is generally defined to include anything that could be used to identify a specific individual, including name, address, job title, telephone number or email address – in other words, it covers almost every form of data that would be relevant to an audit, internal investigation or compliance risk assessment.
To better illustrate how these laws impact an auditor’s job, imagine a somewhat routine task such as investigating whether or not one or more employees may be engaged in improper activities. What specific steps you can take to accomplish that review is directly tied to where the individual employees are based and where their data is stored.
If the employees or their data were in France, for example, you would likely have to consult with Works Council, a group of employee representatives, to make sure they agreed on the legal basis for the examination of personal data and that your approach was tailored to exclude anything marked “private” or “personal.” In addition, you may also be required to register your review with CNIL, the French Data Privacy Authority. Then depending on a variety of factors, you may not be able to transmit any evidence or probative information back to the United States for review. Noncompliance with restrictions like these can subject you and your company to criminal and civil sanctions.
If you’re used to performing these investigations in the United States, where corporate emails can generally be reviewed when the company alone determines such a step is warranted, these limitations can be hard to believe – especially when all you’re trying to do is confirm that the company and its employees are behaving ethically, legally and within the bounds of corporate policies and procedures.
Make sure you understand and respect the laws of any country, particularly those that deal with data privacy and protection, before you begin your audit.
The myth of King Midas ends on a good note. When he cried to the Greek gods, they turned everything he touched back to normal. But for all of us here in reality, there’s no turning back. The best we can do is keep these issues at the forefront of our minds and make sure that the conveniences and advantages of technology always outweigh the potential for chaos it can invite.
 The twelve states are Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Vermont and Washington.